Last Updated on July 9, 2021
Cybersecurity Maturity Model Certification (CMMC) Level 3 compliance assessments are no longer “coming”—they are here. Are you ready? You’ll find out for sure when your chosen certified third-party assessment organization (C3PAO) performs your readiness assessment.
To help DIB orgs prepare for their CMMC assessments, a recent episode of The Virtual CISO Podcast features Stacy High-Brinkley, VP of Compliance Solutions at Cask, one of the first approved C3PAOs. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as always.
Readiness Assessment 101
What will your CMMC Level 3 readiness assessment look like? How in-depth will it go? And what will you need to have in place as a starting point?
“First off, they have to have their System Security Plan (SSP), and for their maturity they have to have their procedures, plans and policies in place with supporting documents, like HR and awareness training and everything that touches security in your company,” Stacy describes. “But the most important thing is the security implementation on all your assets—your networks, your firewalls, your VPNs, your laptops, your printers—everything that touches that network that transmits, stores or processes CUI (for a Level 3).”
“So that’s why it’s really important to scope it out,” emphasizes Stacy. “Maybe VLAN things off, have a total separate network for CUI… If you’re a large company it’ll be a lot quicker.”
A major concern for many companies is the identification of CUI: “Hopefully we’re going to be able to get some AI labeling in place or something,” Stacy half-jokes.
“That’s one of the most common complaints I hear,” John observes. “When we ask if they have CUI, they say, ‘Nothing is labeled that way…’ And we’re like, ‘Yeah, that doesn’t mean you don’t have CUI.’”
This is why getting started early with your preparation is so critical.
The importance of the SSP
“I assume your first sniff test is going to be that SSP?” John continues. “Because in a well-formed SSP you’re going to have the definition of the data; you’re going to have the definition of the assets that are in scope; hopefully you have a data flow diagram; you know who the key stakeholders are; you have an idea of how each of the 120 practices are actually being implemented…”
“And I like in a good SSP to even have some indication of how you’re going to evidence each of those practices. That way, from an auditor’s perspective, they can walk in and they’ve got one consolidated package to look at,” comments John.
Other key documentation
Besides the SSP, what other documentation will you need for your readiness assessment?
“[Besides] the SSP—that’s your plan, right?—you need the policies that are in place for your company (that have been there, so you might need to update those) for all 17 CMMC domains,” advises Stacy. “And you also need procedures. Policies are ‘We say we do this.’ Procedures are ‘This is how we do it.’ So step-by-step on how you do things.”
“[Procedures are] really important so it can be a repeatable process and it can be proven that you’re doing that for maturity,” Stacy adds. “That’s what they’re foot-stomping to me, literally, when I talked to them today as we’re preparing for our [C3PAO assessment].”
“In the old, old days when we did DITSCAP, it was a paper drill,” shares Stacy. “No one went out and touched the boxes and ran these scans. But now it is not—it’s about ensuring that they’re secure; that they’re keeping that CUI data secure wherever it is, and that their documentation states that. That’s the most important thing.”
If you’ve got a CMMC Level 3 assessment in your near future, you’ll find this podcast episode with Stacy High-Brinkley extremely beneficial and informative.